feat: move some services to other domain

hosts/ward/guests/adguardhome.nix

@@ -5,8 +5,7 @@
   pkgs,
   ...
 }: let
-  sentinelCfg = nodes.sentinel.config;
-  adguardhomeDomain = "adguardhome.${sentinelCfg.repo.secrets.local.personalDomain}";
+  adguardhomeDomain = "adguardhome.${config.repo.secrets.global.domains.me}";
 in {
   meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.adguardhome.settings.bind_port];
 
@@ -81,8 +80,8 @@ in {
         # wireguard address for influxdb
         rewrites = [
           {
-            domain = sentinelCfg.networking.providedDomains.influxdb;
-            answer = sentinelCfg.repo.secrets.local.personalDomain;
+            domain = nodes.sentinel.config.networking.providedDomains.influxdb;
+            answer = config.repo.secrets.global.domains.me;
           }
         ];
         filters = [

hosts/ward/guests/forgejo.nix

@@ -6,8 +6,7 @@
   ...
 }: let
   sentinelCfg = nodes.sentinel.config;
-  # XXX: other domain on other proxy?
-  forgejoDomain = "git.${sentinelCfg.repo.secrets.local.personalDomain}";
+  forgejoDomain = "git.${config.repo.secrets.global.domains.me}";
 in {
   meta.wireguard-proxy.sentinel.allowedTCPPorts = [
     config.services.forgejo.settings.server.HTTP_PORT

hosts/ward/guests/kanidm.nix

@@ -3,9 +3,9 @@
   nodes,
   ...
 }: let
-  inherit (sentinelCfg.repo.secrets.local) personalDomain;
+  inherit (config.repo.secrets.global) domains;
   sentinelCfg = nodes.sentinel.config;
-  kanidmDomain = "auth.${personalDomain}";
+  kanidmDomain = "auth.${domains.me}";
   kanidmPort = 8300;
 in {
   meta.wireguard-proxy.sentinel.allowedTCPPorts = [kanidmPort];
@@ -122,24 +122,29 @@ in {
         displayName = "Immich";
         originUrl = "https://${sentinelCfg.networking.providedDomains.immich}/";
         basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path;
+        preferShortUsername = true;
+        # XXX: PKCE is currently not supported by immich
+        allowInsecureClientDisablePkce = true;
         scopeMaps."immich.access" = ["openid" "email" "profile"];
       };
 
       # Grafana
       groups."grafana.access" = {};
-      groups."grafana.admins" = {};
       groups."grafana.editors" = {};
+      groups."grafana.admins" = {};
       groups."grafana.server-admins" = {};
       systems.oauth2.grafana = {
         displayName = "Grafana";
         originUrl = "https://${sentinelCfg.networking.providedDomains.grafana}/";
         basicSecretFile = config.age.secrets.kanidm-oauth2-grafana.path;
         scopeMaps."grafana.access" = ["openid" "email" "profile"];
-        # FIXME: use new group claims k thx
-        supplementaryScopeMaps = {
-          "grafana.admins" = ["admin"];
-          "grafana.editors" = ["editor"];
-          "grafana.server-admins" = ["server_admin"];
+        claimMaps.groups = {
+          joinType = "array";
+          valuesByGroup = {
+            "grafana.editors" = ["editor"];
+            "grafana.admins" = ["admin"];
+            "grafana.server-admins" = ["server_admin"];
+          };
         };
       };
 
@@ -167,7 +172,7 @@ in {
       groups."web-sentinel.influxdb" = {};
       systems.oauth2.web-sentinel = {
         displayName = "Web Sentinel";
-        originUrl = "https://oauth2.${personalDomain}/";
+        originUrl = "https://oauth2.${domains.me}/";
         basicSecretFile = config.age.secrets.kanidm-oauth2-web-sentinel.path;
         scopeMaps."web-sentinel.access" = ["openid" "email"];
         claimMaps.groups = {

hosts/ward/guests/radicale.nix

@@ -1,10 +1,5 @@
-{
-  config,
-  nodes,
-  ...
-}: let
-  sentinelCfg = nodes.sentinel.config;
-  radicaleDomain = "radicale.${sentinelCfg.repo.secrets.local.personalDomain}";
+{config, ...}: let
+  radicaleDomain = "radicale.${config.repo.secrets.global.domains.personal}";
 in {
   meta.wireguard-proxy.sentinel.allowedTCPPorts = [
     8000

hosts/ward/guests/vaultwarden.nix

@@ -1,11 +1,9 @@
 {
   config,
   lib,
-  nodes,
   ...
 }: let
-  sentinelCfg = nodes.sentinel.config;
-  vaultwardenDomain = "pw.${sentinelCfg.repo.secrets.local.personalDomain}";
+  vaultwardenDomain = "pw.${config.repo.secrets.global.domains.personal}";
 in {
   meta.wireguard-proxy.sentinel.allowedTCPPorts = [
     config.services.vaultwarden.config.rocketPort